"Davis and the Jake-Man" is a technology news website discussing subjects of note in the IT industry.

6.12.2016

OEM Bloatware is Still a Security Problem

On May 31st, researchers from Duo Labs published a report detailing the bloatware found on ten new laptops. Bloatware is extra software added by Original Equipment Manufacturers (OEMs) before a computer is sold. Often this bloatware is slow, useless and difficult to remove. Some may remember last year’s Superfish and eDellRoot fiascoes.

The researchers discovered and privately disclosed a dozen vulnerabilities, half of which were high-severity. As of the report:

Asus and Acer have not patched their reported vulnerabilities

HP has patched four of seven vulnerabilities

Lenovo will remove their affected software starting late June

Dell has quietly updated some of the flaws, and has mitigated others

OEM software tends to run with system-level privileges, so it sits outside the protections that constrain ordinary user applications. An attacker who exploits a flaw in such software gains full control of the machine, and the resulting foothold might be impossible to remove. Although bundled software can be a good way for OEMs to make a bit of extra money to offset production costs, OEMs need to take steps to ensure that poorly written software won’t leave users vulnerable.
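The practical first step for anyone administering such a machine is to find out which system-level components did not come from Microsoft, so that OEM-bundled services can be inventoried and patched or removed. The script below is an added example written for this post; it is not code from the Duo Labs report or from any OEM. It assumes a Windows host, an elevated PowerShell prompt, and that the `Win32_Service` class and `Get-AuthenticodeSignature` are available, which they are on stock Windows. It lists every service that runs as LocalSystem whose binary is not signed by Microsoft, together with the signature status and signer, so the output is a review list rather than a verdict.

```powershell
# Added example (not from the Duo Labs report or this post): enumerate services that
# run as LocalSystem and whose executable is not signed by Microsoft. These are the
# highest-privilege third-party components on the box and the ones most worth reviewing.
# Run from an elevated PowerShell prompt on the machine under review.

function Get-ServiceBinaryPath {
    # Win32_Service.PathName may be quoted ("C:\Program Files\X\svc.exe" -arg),
    # unquoted with spaces (C:\Program Files\X\svc.exe -arg), or a bare path.
    param([string]$PathName)
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)') { return $Matches[1] }   # -match is case-insensitive
    return ($PathName -split '\s+')[0]
}

function Get-NonMicrosoftSystemServices {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' } |
        ForEach-Object {
            $exe    = Get-ServiceBinaryPath $_.PathName
            $status = 'NotFound'
            $signer = 'unknown'
            if (Test-Path -LiteralPath $exe) {
                $sig    = Get-AuthenticodeSignature -LiteralPath $exe
                $status = $sig.Status            # Valid, NotSigned, HashMismatch, ...
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            [PSCustomObject]@{
                Service   = $_.Name
                State     = $_.State
                Binary    = $exe
                SigStatus = $status
                Signer    = $signer
            }
        } |
        # Microsoft-signed binaries carry "O=Microsoft Corporation" in the certificate subject;
        # everything else (OEM updaters, support tools, unsigned files) is kept for review.
        Where-Object { $_.Signer -notmatch 'O=Microsoft Corporation' }
}

Get-NonMicrosoftSystemServices | Sort-Object Service | Format-Table -AutoSize
```

Anything with `SigStatus` of `NotSigned`, `HashMismatch` or `NotFound` deserves immediate attention; a valid OEM signature only tells you who shipped the binary, not whether it was written carefully, which is exactly the gap the Duo Labs report is about.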